Apache 2 - proxy
Contents
Principle
The proxy module allow you to expose a resource that is not directly accessible.
For instance it can redirect remote user to a specific server that can be host on a different machine or port through a simple URL.
Proxy VS redirection
| Header text | Proxy | Redirection |
|---|---|---|
| Main usage |
|
Signal a change or redirect to the HTTPS web-site |
| Action | Hidden to the user.
|
Explicit
|
Internet limits: why do we need a proxy?
Some application are not available from outside…
- For security reasons [default URL is not allowed]
- Due to network issues
How does Apache2 mod_proxy work?
The Apache2 proxy module allow you to provide access through transparent redirection.
It relies on:
- Already open port (80 or 443)
- Redirection rule
- Each service URL must be unique
- The target service must be reachable by the web server
As you can see on the previous example, the services will be accessible using some dedicated URL.
Remote “http://myServer/myService” will redirect to “http://localhost:8081”
→ The mod_proxy is none intrusive.
You don’t have to change anything in the original service configuration. Apache2 will handle all the transformations.
Proxy / redirect / rewrite - HTTP request processing
When Apache2 receive a request it will be process in the following order:
The evaluation order is:
- Mod_proxy
- Mod_rewrite
- Other modules
- Serve requested resources if no rule should apply
So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy (because mod_proxy is the 1st to be evaluate).
Installation
Enable proxy module
a2enmod proxy proxy_http proxy_ajp
a2enmod proxy_html xml2enc
Configure proxy redirections
You can configure the redirections in 2 ways:
- Through your virtual host configuration
- Through the module configuration file
Module configuration file
You have to edit / create the configuration file.
vim /etc/apache2/mods-enabled/proxy.conf
Virtual host
Just edit again your previous V.Host:
vim /etc/apache2/sites-available/myServer.conf
V.Host proxy declaration
Adjust your V.Host configuration to:
<VirtualHost *:80>
ServerName dev.daxiongmao.eu
ServerAlias www.dev.daxiongmao.eu *.dev.daxiongmao.eu
ServerAdmin guillaume@qin-diaz.com
### LOG
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/error.log
CustomLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/access.log combined
### Redirect all traffic to HTTPS website
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
redirect permanent / https://myServer/
### No proxy here because I only want to use HTTPS
</VirtualHost>
<VirtualHost *:443>
...
#############################
# Proxy configuration
#############################
# Enable proxy
ProxyVia On
ProxyPreserveHost On
ProxyRequests Off
ProxyErrorOverride Off
## SSL support (allow to redirect to other SSL sites)
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
Satisfy Any
</Proxy>
########################
# Standard Web application - No proxy required
########################
#### Direct access without further configuration
ProxyPass /maintenance !
ProxyPass /menu !
ProxyPass /ssl !
#### Standard URL filters
# PhpMyAdmin
<Location /phpmyadmin>
Require all granted
ProxyPass !
Order allow,deny
Allow from 127.0.0.1 192.168.1.0/24
</Location>
#### Alias
# PHPSecInfo
Alias /phpsec /var/www/phpsecinfo
<Location /phpsec >
Require all granted
ProxyPass !
order deny,allow
# allow from 127.0.0.1 192.168.1.0/24
allow from all
</Location>
########################
# Proxy redirections
########################
# Proxy to a Java application running over Tomcat
ProxyPass /webdav ajp://localhost:8009/webdav/
ProxyPassReverse /webdav ajp://localhost:8009/webdav
# Proxy to a Java application running over Tomcat, with IP filter
<Location /manager>
Order allow,deny
Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
ProxyPass ajp://localhost:8009/manager/
ProxyPassReverse ajp://localhost:8009/manager/
</Location>
# Proxy to another server
ProxyPass /jira http://192.168.1.12:8080/jira
ProxyPassReverse /jira http://192.168.1.12:8080/jira
## Proxy to webmin
<Location /webmin/>
ProxyPass http://localhost:10000/
ProxyPassReverse http://localhost:10000/
Order deny,allow
Deny from all
Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
</Location>
## Proxy to RabbitMQ
<Location /rabbitmq/>
ProxyPass http://smartcard-mq:15672/
ProxyPassReverse http://smartcard-mq:15672/
Order deny,allow
Deny from all
Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
</Location>
</VirtualHost>
Some notes:
- Do NOT put a / after the target URL
- Do NOT use / as ProxyPass source, use the previous redirect permanent instead
Apply settings
Apply changes and test result
service apache2 restart
For example, Navigate to http://myServer/jira
Thanks
Special thanks to Julien Rialland for his insight regarding this part!
- Julien's blog: http://jrialland.wordpress.com/
- Julien's LinkedIn: http://fr.linkedin.com/in/julienrialland
